Recap -- Cybersecurity: Threats to Communications Networks and Public-Sector Responses

The House Subcommittee on Communications and Technology held a hearing to examine threats to America’s communications networks, what the public sector is doing to address those threats, how it is working with the private sector, and what role the federal government should play in securing communications networks. The Subcommittee heard from witnesses representing the Federal Communications Commission, the National Telecommunications and Information Administration, the Department of Homeland Security, Carnegie Mellon’s Computer Emergency Readiness Team, and Sandia Laboratories.

In general, Republicans said the government should encourage voluntary industry standards and not insert itself in a way that would reduce private industry's flexibility in responding to threats.

Democrats on the panel gave a shout-out to those ISP efforts, but suggested that the government also needed a way to ensure accountability to those voluntary standards. Rep. Henry Waxman (D-CA) made the strongest case for stronger government involvement. He suggested that reliance solely on voluntary efforts might not be sufficient, say, dealing with a company that was less diligent in its best practices and caused a cyber-breach to critical infrastructure. He said that if industry wants exemptions from antitrust and other consumer laws in order to share info with the government -- it does -- then it should be willing to be held accountable for not abusing that freedom.

James Barnett, chief of the FCC's Public Safety and Homeland Security Bureau, said he supports giving the government new regulatory powers to protect against cyber attacks. He endorsed the regulatory provisions of the Cybersecurity Act, a bill authored by Sens. Joe Lieberman (I-CT) and Susan Collins (R-Maine). The legislation would give the Homeland Security Department the power to require that critical systems, such as electrical grids, meet minimum cybersecurity standards. Barnet also said that ensuring cybersecurity doesn't mean giving up privacy or undermining Internet freedom. "Sacrificing privacy or Internet openness for security is a false choice," Barnett said. "We must insist on having all three, and we strongly believe that this is achievable."

Subcommittee Chairman Greg Walden characterized some of the testimony as disturbing, then even more disturbing as witnesses talked about the threats. They included an attack on the Department of Commerce's Economic Development Administration that took the network down for several weeks and counting. It also included this sobering assessment from Bob Hutchinson, of Sandia National Laboratories, a government-funded national research lab: "The most important lesson I have learned in my career is that computer systems can never be fully trusted, can never be proven free of compromise, so we must focus on finding ways to conduct business, even critical business, on machines that are presumed to be infected," he said.